Sundown Is Just a Bunch of Exploits Stolen from Other Exploit Kits

Sundown EK fails to improve market share among fellow EKs. The Sundown exploit kit (EK), which has been trying to fill the void left by the death of the Angler and Nuclear EKs, is nothing more than a collection of copy-pasted exploits, according to Trustwave’s SpiderLabs team.

Sundown, first spotted in June 2015, was for a long time a tiny player on the EK market, always inferior to its competition. Even its creators knew this, and they rarely bothered to update their tool.

Sundown saw a surge of activity after Angler’s death

Things changed after Angler and Nuclear disappeared from the market this spring, something noted by Zscaler three months ago in June, when the company reported a surge of activity from Sundown’s creators, the Yugoslavian Business Network (YBN).

Three months later, Trustwave says that this increase in activity did yield an enhanced exploit kit, but not in the way many expected.

Instead of developing their own exploits, the Sundown crew just stole exploits from other EKs or copy-pasted the ones that were freely available online.

According to a technical analysis of the Sundown exploitation chain, Trustwave researchers found four different exploits.

They say YBN stole the first from Angler (IE exploit – CVE-2015-2419), the second from the RIG EK (Silverlight exploit – CVE-2016-0034), took the third from the Hacking Team data dump (Flash exploit – CVE-2015-5119), and stole the fourth from the Magnitude EK (Flash exploit – CVE-2016-4117).

Neutrino and RIG remain top exploit kits

The Angler crew, which was actually a group of criminals that originally developed the Lurk banking trojan, was famous for always adding new exploits to their EK as they appeared on the market.

Almost certainly, the YBN crew won’t gain new customers unless they start offering not only better exploits but also newer ones. The group also needs a larger arsenal, since four or five exploits are hardly enough to cover all the bases for a serious malvertising campaign.

Sundown’s lackluster effort is also the reason why a recent Zscaler report lists Neutrino and RIG as the top two exploit kits, with Magnitude and Sundown bringing up the rear.

According to Zscaler, in the past few months Neutrino was mostly used for delivering the Gamarue malware dropper, the Tofsee backdoor trojan, and the CryptXXX and CrypMIC ransomware.

On the other hand, RIG distributed Tofsee, the Cerber ransomware, and the Gootkit and Vawtrak banking trojans. Magnitude continued to spread Cerber ransomware, as it always has.